The introduction of the European Union’s General Data Protection Regulation (GDPR) in May 2018 held a lot of promise and boasted a lofty goal: Promote a common privacy culture throughout Europe. More than two years later and despite various reports and reviews revealing some progress, issues and concerns remain about the GDPR’s implementation and enforcement.
Do these preliminary bumps prove that a universal data protection framework is ultimately not feasible? Not necessarily. The GDPR is still credited for harmonizing data protection laws throughout the EU and prompting copycat privacy regulations worldwide, including the California Consumer Privacy Act (CCPA) in the US. But a truly balanced look at the law’s impact must include its challenges.
Before the GDPR went into effect, companies were anxious about implementing, and paying for, a seemingly open-ended range of new compliance measures. We’ll never know how much companies spent initially—both in terms of financial resources and time—to comply, as each company is different, but some estimate it was in the billions.
Consider a couple of examples that back up this estimate. In a blog post, Microsoft reported that it had dedicated more than 1,600 engineers across the company to GDPR projects. In September 2018, when several big tech companies testified before the US Senate, Google's chief privacy officer, Keith Enright, estimated that Google had spent "hundreds of years of human time" to comply with the GDPR. These examples are hard to translate into dollars, but they make clear that a great deal of time and money was spent.
Maintaining GDPR compliance has not come cheaply either. The International Association of Privacy Professionals (IAPP) reported on the first anniversary of the GDPR in May 2019 that approximately 500,000 European organizations had registered data protection officers (DPOs). Combine this with the IAPP’s 2019 salary survey, which found that the average DPO’s salary in Europe is $88,000, and that’s a high price tag even when viewed through the most conservative lens.
Why expend countless hours and resources to comply with this far-reaching regulation? Companies will say they are committed to protecting their customers' personal information, which is probably true even if it is not the whole truth.
The GDPR also carries a forceful enforcement hammer. A company that fails to comply can face severe fines: up to €20 million ($23.7 million) or 4 percent of annual global turnover, whichever is higher. A few companies have already learned how harsh GDPR non-compliance can be. Understandably, this looming threat leaves most companies little choice but to comply.
Preliminary Report Cards
Has the GDPR lived up to expectations? Below is a summary of reviews and reports that provide insights on the GDPR’s performance to date.
January 2019. The European Data Protection Board (EDPB) releases an infographic of key statistics compiled in the first nine months of the GDPR. The numbers show increased awareness: The GDPR was googled more often than Beyoncé or Kim Kardashian in May 2018 and received more media coverage than Mark Zuckerberg in 2018. The numbers also show that issues and concerns are being reported (95,180 complaints and 41,502 data breach notifications). And within the first nine months, enforcement had already produced three fines, including Google's 50 million euro fine.
February 2019. The EDPB releases an “overview” of GDPR implementation, finding that in the first nine months, “the GDPR cooperation and consistency mechanism work quite well in practice.”
March 2019. A report finds that the official government websites of 25 of the 28 EU member states may not be GDPR compliant because third-party companies track visitors to these portals without obtaining the individuals' consent.
May 2019. On the occasion of the GDPR's first birthday, the European Commission releases the #HAPPYBIRTHDAYGDPR infographic. This unusual birthday card marks the milestone with GDPR numbers from its first year: 67% of EU citizens had heard of the GDPR; 144,376 queries and complaints and 89,271 data breach notifications had been received; and 25 EU member states had adopted the required national legislation, with only three outliers (Greece, Slovenia, and Portugal).
July 2019. The European Commission publishes a preliminary assessment on GDPR compliance and highlights some concerns about outlier states, resource constraints, and application challenges that could result in inconsistent enforcement.
February 2020. The EDPB provides input on the evaluation of the GDPR due under Article 97 (see below).
Bloomberg Law Survey
In late 2019, Bloomberg Law surveyed small and large organizations on their GDPR compliance readiness. The results were summarized earlier this year, highlighting some of the common concerns of the 146 respondents.
As for specific implementation challenges, most respondents wished they had had more time to prepare, wanted more resources, struggled with third-party compliance, and found the GDPR requirements hard to understand.
The survey also revealed that fewer than half of the respondents (44%) rated themselves as fully compliant with the GDPR.
More troubling, nearly 59% of the respondents said they were not ready for a GDPR audit or inspection.
Note that several of the concerns cited in the Bloomberg Law survey (implementation challenges, lack of clarity and complexity, and resource constraints) mirror those raised in the GDPR's first official implementation report, discussed below.
First Official Report Card: Article 97 Report
In June 2020, the European Commission delivered its first required Article 97 evaluation report on the GDPR, two years after the regulation took effect. (Issuance was slightly delayed by the Covid-19 pandemic.) The commission opted to go beyond the Article 97 requirements for the report but was careful not to draw definitive conclusions about the GDPR's performance, noting that two years was not long enough to make that determination.
Starting with the good news for data protection, the commission’s overall view of the GDPR is that it is generally meeting its objectives in a few ways. It is helping to protect personal data and improving the free flow of personal data within the EU. In doing so, the GDPR is also serving as a data protection model for non-EU countries.
However, the commission also flagged areas for improvement and offered a list of actions to help remediate the noted issues. The commission will monitor these areas and likely share its findings in the next evaluation report.
Enforcement. The commission grades the supervisory authorities’ efforts thus far as “balanced” in their approach to enforcement, but wants them to do more with the tools available. A recommended area to improve is the handling of joint investigations through a common approach.
Resources. The commission notes that many supervisory authorities lack the resources needed to regulate and enforce the GDPR effectively. The commission calls on the EU member states to provide their supervisory authorities with more (human, technical, and financial) resources to carry out their responsibilities more effectively.
Fragmentation. The commission warns against the troubling trend toward divergent national data protection laws, since the GDPR permits EU member states to legislate individually in some areas. The commission is concerned that continued adoption of national laws that conflict with or exceed the GDPR's requirements may lead to divergent application and enforcement and, as a result, unnecessary compliance burdens. Examples noted include: 1) national variations in the age of consent for minors, 2) the reconciliation of the right to protection of personal data with freedom of expression and information, and 3) overuse of the derogations available under Article 49 of the GDPR. The commission recommends instead using Article 40 codes of conduct to create a more harmonized approach to applying these rights and to facilitate cross-border processing across the EU.
Data Subjects’ Rights. The commission acknowledges the increased awareness of privacy rights under the GDPR, but recommends more measures to encourage the use of the law’s protections. The right of data portability is an example of a right not being used enough according to the commission.
New Technologies. The commission report notes that the GDPR’s principle-based model should be able to cover new technologies. And while there may be some challenges in applying the GDPR to evolving technologies, the commission expects the supervisory authorities to monitor their development, particularly those involved in online advertising and targeting.
International Data Transfers. The commission covers existing adequacy decisions and others in progress, referencing the Court of Justice of the European Union's then-upcoming decision in the Schrems II case. Since the report's release, that decision has been delivered: it invalidated the EU-US Privacy Shield and added new obligations, and headaches, for organizations transferring personal data out of the EU.
International Cooperation. The commission indicates that it will continue discussions with other governments to enhance cooperation, including plans to establish a forum for sharing knowledge and best practices to promote international cooperation in data protection.
From fragmentation to lack of resources to the need for clarity and consistency, companies and authorities share common challenges and can navigate these hurdles together.
This collaboration will require more engagement and sharing of concerns as well as best practices. Enforcement and rulemaking activities should not be the sole opportunity for this collaboration to take place. Hopefully, these efforts to find more efficient and effective measures to facilitate GDPR compliance will start well before the next report card is due in 2024.